CVE-2026-3706 Overview
CVE-2026-3706 affects mkj Dropbear SSH versions up to 2025.89. The flaw resides in the unpackneg function within src/curve25519.c, part of the S Range Check component. The implementation performs improper verification of cryptographic signatures [CWE-345], creating a signature malleability condition in the Ed25519 code path. The project maintainer disputes practical exploitability, stating that signature malleability is not exploitable in the SSH protocol and that available proof-of-concept code targets the internal API rather than SSH itself. The attack vector is network-based but rated as high complexity and difficult to exploit.
Critical Impact
The issue allows manipulation of Ed25519 signature verification at the internal API level, though SSH protocol exploitation has not been demonstrated and the existence of practical impact remains disputed.
Affected Products
- mkj Dropbear SSH up to and including version 2025.89
- The unpackneg function in src/curve25519.c
- S Range Check component of the Ed25519 implementation
Discovery Timeline
- 2026-03-08 - CVE-2026-3706 published to NVD
- 2026-04-22 - Last updated in NVD database
Technical Details for CVE-2026-3706
Vulnerability Analysis
The vulnerability is a cryptographic signature verification weakness classified under [CWE-345] (Insufficient Verification of Data Authenticity). The defect resides in the unpackneg routine of src/curve25519.c, which handles point decompression for Curve25519 used by Ed25519 signature operations. Improper range checking during this unpacking step allows non-canonical encodings to be accepted, producing signature malleability where multiple distinct signatures can validate against the same message and key. The maintainer's response on GitHub Issue #406 and Pull Request #407 clarifies that the SSH protocol itself does not rely on signature uniqueness in a way that exposes the application layer. Proof-of-concept code exercises the internal cryptographic API directly, not the SSH handshake.
Root Cause
The root cause is missing canonical-form validation when decoding a compressed Curve25519 point. The unpackneg function fails to reject field elements outside the canonical range modulo 2^255 - 19. Accepting non-canonical encodings breaks the strict uniqueness property required by Ed25519 verification.
Attack Vector
An attacker with network reach can submit crafted signatures to APIs that call the affected verification path. Exploitation against the SSH protocol surface is not demonstrated and is considered impractical by the maintainer. The high attack complexity reflects the cryptographic precision required to construct malleable signatures.
No verified exploitation code is available. Technical details are documented in the Dropbear GitHub Issue #406 and the related ed25519-java issue analysis.
Detection Methods for CVE-2026-3706
Indicators of Compromise
- No public indicators of compromise have been published, consistent with the disputed exploitability status and the absence of SSH-level proof-of-concept code.
- Anomalous repeated authentication attempts against Dropbear services using Ed25519 keys may warrant inspection of session logs.
Detection Strategies
- Inventory all Dropbear SSH installations and compare reported versions against the vulnerable range up to 2025.89.
- Verify the presence of patch commit fdec3c90a15447bd538641d85e5a3e3ac981011d in deployed source builds, particularly on embedded devices and OpenWrt-based systems.
- Audit any custom applications that link Dropbear's cryptographic functions directly, as these expose the internal API path where the issue is reachable.
Monitoring Recommendations
- Collect SSH daemon logs centrally and alert on unusual Ed25519 authentication patterns or repeated signature verification failures.
- Track upstream Dropbear releases and downstream vendor advisories for distribution-specific patches.
- Monitor configuration management systems to ensure patched Dropbear binaries replace vulnerable builds on all hosts.
How to Mitigate CVE-2026-3706
Immediate Actions Required
- Apply the upstream patch identified by commit hash fdec3c90a15447bd538641d85e5a3e3ac981011d from the Dropbear repository.
- Rebuild and redeploy Dropbear on affected systems, prioritizing devices that expose the cryptographic API beyond the SSH server.
- Review any third-party software that statically links Dropbear's curve25519.c to ensure it is also rebuilt against the patched source.
Patch Information
The fix is published in commit fdec3c90a15447bd538641d85e5a3e3ac981011d and tracked under Pull Request #407. The patch adds proper range validation in unpackneg to reject non-canonical encodings during Curve25519 point decompression. Users should pull the latest source from the mkj/dropbear repository and rebuild.
Workarounds
- No vendor-supplied workaround exists; patching is the recommended remediation.
- Restrict SSH access through network controls such as firewall rules, jump hosts, or VPN gating to reduce exposure while patch deployment is scheduled.
- Where Dropbear cryptographic functions are exposed beyond SSH, isolate those services or disable Ed25519 authentication until the patch is applied.
# Build Dropbear from patched source
git clone https://github.com/mkj/dropbear.git
cd dropbear
git checkout fdec3c90a15447bd538641d85e5a3e3ac981011d
autoconf && autoheader
./configure
make
sudo make install
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
